Qualys Scanning for PCI Devices University of Minnesota

Transcription

1 Qualys is the vulnerability scanner that will be used to map and scan devices that are involved in credit card processing to meet the PCI-DSS quarterly internal scan and map requirement. This document provides background and responsibilities for how QualysGuard scanning, mapping and ticket remediation tracking will be used at the University of Minnesota by departments for servers and devices involved in credit card processing. Qualys maintains more extensive documentation of the product under Help on the QualysGuard Enterprise Suite menu bar. Scanner Responsibilities Follow the naming convention for Asset Groups (see Naming Conventions section). Create and maintain the list of IP addresses that should be included in the PCI list of devices that are on the University network. Include servers, desktops, printers, and other devices that are involved in credit card processing in your PCI-devices Asset Group. Discovery map your PCI subnet ranges (PCI-hostips Asset Group) at least monthly. Review the Map reports for unknown devices. Recommend scheduling daily maps. Scan all IP addresses in the PCI-devices Asset Group at least monthly. Recommend scheduling weekly scans when the devices are expected to be on-line using the PCI-hostips Asset Group. Review the scan results. o Fix and mitigate the high severity vulnerabilities flagged as PCI Failed within 30 days. Rerun the scan. o The list of hosts that were not alive during the scan is listed in the Appendix of the scan results. Schedule a follow up scan for when these devices will be powered on. Update your remediation plan/ mitigation strategy at least monthly for the open tickets created for high severity vulnerabilities. Use the Qualys Ticket Remediation to document proposed or approved remediation steps. Run PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP at least monthly to verify that all high severity vulnerabilities for PCI devices have been mitigated or resolved. Run the PCI Scan Report for Internal Scan report quarterly for all devices involved in credit card processing. For more information, see the section For the Quarterly Report. For the Quarterly Report: Compare the lists of host scanned for the current quarter to your unit s inventory list of hosts involved in credit card processing. All devices in your unit s inventory list must be scanned quarterly. Verify that the Reporting Asset Group PCI.COLLEGE.DEPT-Devices IP list has an entry (IP address) for each device that is involved in credit card processing Page 1 of 13

2 Verify that all hosts have a scan for the current quarter. Use the Asset Search feature for Asset Group PCI.COLLEGE.DEPT-Devices. Review the last scan date column. Verify that all PCI high severity vulnerabilities have been mitigated. Use the PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP report. Run and save a copy (outside of Qualys) of the PCI Scan Report for Internal Scan to document your unit s internal scan PCI compliance. Provide a copy to the Merchant Manager and University PCI Compliance office (cmgraves@umn.edu). Naming Conventions Reporting Asset Groups: o PCI.COLLEGE.DEPT-Devices Map & Scan Asset Groups: o COLLEGE.DEPT.PCI-hostips Other asset groups should begin with: o COLLEGE.DEPT Vulnerabilities Qualys uses 3 categories for classifying vulnerabilities (confirmed, potential and information). Within the category, there are 5 levels for vulnerabilities. o Confirmed (red) Security weaknesses verified by an active test o Potential (yellow) Security weaknesses that need manual verification o Information (blue) Configuration data High Severity Vulnerabilities for PCI o Required: Fix vulnerabilities with PCI FAIL status - must have the high severity mitigated (i.e., patching/configuration, other compensating control or documented as a false positive) for reporting. o Hosts involved in credit card processing must mitigate the risk for all vulnerabilities that appear on the PCI reports. o Documentation of the mitigation plan or compensating controls for high severity vulnerabilities must be in the Qualys Ticket Remediation. Tickets for unmitigated vulnerabilities need to be documented within 30 days of scan. o For false positives, send documentation supporting your request to have it reviewed as a false positive to abuse@umn.edu with subject PCI Internal Scan False Positive Request. Include the Qualys Ticket Remediation # and the IP address of the host. University Information Security group will review your request and respond. Priorities for Other Vulnerabilities o Recommended: Review Potential 4 & 5 (yellow) and fix, if applicable o Recommended: Review Confirmed 1, 2 & 3 (red) and fix, if applicable o Recommended: Review & assess the risk with the other vulnerabilities and fix if applicable Page 2 of 13

3 Additional information on Set Up, Scans, Maps, Ticket Remediation & Reports Asset Groups (See Asset Group Image) Go to Assets > Asset Groups Create a new group from the New menu or edit an existing group from the Quick Actions menu. Use the workflow to manage the asset group and click Save. o Follow the naming conventions for Asset Groups. o IPs, list all the IP addresses or IP ranges to be included in the Asset Group. o Domain, select None domain. o Scanner Appliances, select all listed. o Business/CVSS Information: o information on this tab is optional Scans (See Scan Asset Group, Scan Host and Scheduled Scan images) Go to Scans and choose New > Scan Enter scan details and click Launch. For scheduled scans, Go to Scans > Schedules and choose New > Schedule Scan Enter task details and click Save. o There are multiple scan policies and options for scheduling scans. Here are the basics. Schedule scan or scan immediately Option Profile: U of M Initial Options (default) Scanner Appliance: All Scanners in Asset Group; Select an internal scan appliance when listing IP addresses or ranges. If not scanning an asset group, the external scanner is used instead of internal. Scan by Asset Group, Select IPs or IP Range o When the scan is completed, review the scan report and mitigate the vulnerabilities identified. Scan Reports Quarterly- PCI Scan Report for Internal Scan Go to Reports. Then go to New > Scan Report > PCI Scan Template Type in title for the report Use the pull down on Template Based to select the report format (e.g., PCI Scan Report for Internal Scan) Select Report output format (e.g, PDF) Type in the Asset Group name or use the Select feature to search and select the asset group Page 3 of 13

4 Ad-Hoc Go to Reports. Then go to New > Scan Report > Template Based o There are multiple report formats available (see Report Templates section). Here are the basics. Type in title for the report Use the pull down on Template Based to select the report format (e.g., PCI+Confirmed 4-5 Technical Report- Select Asset Group or IP) Select Report output format (e.g, PDF, csv, etc) Type in the Asset Group name or use the Select feature to search and select the asset group Ticket Remediation Go to Remediation > Tickets Select Edit from the Quick Actions menu for a single ticket in the list. Or select multiple tickets in the list and select Edit from the Actions menu. o The main remediation policy will create tickets for all confirmed 4 & 5 or PCI related vulnerabilities for the IP s in PCI-Devices Asset Group. Tickets will be assigned to the user running the scan. Deadline date for determining overdue tickets will be 30 days Page 4 of 13

5 Report Templates o PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP Results as of the last scan Includes PCI FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report) or confirmed vulnerabilities at levels 4 & 5 Details on how to fix o PCI Scan Report for Internal Scan Results as of the last scan Includes PCI PASS and FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report). Details on how to fix o PCI Scan Report- Select Scan Results Use to run a PCI scan report for a prior period or a specific scan Results from a specific scan (includes option to include a specific IP) Includes PCI PASS and FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report). Details on how to fix o Technical Report- Select Asset Group or IP Results as of the last scan Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5) Details on how to fix Very large report o Technical Report-Select Scan Results Results from a specific scan (includes option to include a specific IP) Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5) Details on how to fix Very large report o UMN-Summary Report Results as of the last scan Includes all vulnerabilities (confirmed, potential, info) at all levels (1-5) No detail on how to fix Page 5 of 13

6 Maps (See Map Asset Group, Scheduled Map and Unknown Devices Report images) Go to Scans > Maps and choose New > Map Enter map details and click Launch. o Similar to nmap o There are multiple discovery map policies and options for scheduling maps. Here are the basics. Schedule a map or launch a map immediately Option Profile: University of Minnesota Initial Options (default) Scanner Appliance: Internal scan appliance Map by Asset Group, Select IPs or IP Range o When the map is completed, review the map report for anomalies. o To identify changes to the list of hosts that are on the network, use the Map Report-Unknown Devices Template. Go to Reports. Then go to New > Map Report > Template Based. Select Unknown Devices Report for Report Template Type in title for the report Select Report output format (e.g, PDF, csv, etc) Select the Map results to compare On the report, the status column will report if an IP address has been Added or Removed when comparing the 2 map results. If an IP address appears on both map results, the status is Active Page 6 of 13

7 Images Asset Group Go to Assets > Asset Groups Create a new group from the New menu or edit an existing group from the Quick Actions menu. Use the workflow to manage the asset group and click Save Page 7 of 13

8 Scan Asset Group Go to Scans and choose New > Scan Enter scan details and click Launch. Scan Host Page 8 of 13

9 Scheduled Scan Go to Scans > Schedules and choose New > Schedule Scan Enter task details and click Save. Scheduling workflow tab Page 9 of 13

10 Map an Asset Group Go to Scans > Maps and choose New > Map Enter map details and click Launch Page 10 of 13

11 Scheduled Map Go to Scans > Schedules and choose New > Schedule Map Enter task details and click Save. Target Domains workflow tab Page 11 of 13

12 Scheduling workflow tab Page 12 of 13

13 Unknown Devices Report Page 13 of 13